We are using a C# application I wrote about 5 years ago to post invoices into Xero. All I'm using is the XeroAPI.dll, which is version 1.1.0.27. I could really do with some advice as to what I need to do, if anything, to use the correct version of TLS.

All the programme does is at start up is to create a session using XeroApi.OAuth.XeroApiPrivateSession() with a Xero key and certificate. It then uses that to access the Xero API. Any advice welcomed!

@RavisankarYou can perform the SSL/TLS test by making a request to https://www.howsmyssl.comIt will return an response containing the report html.

TLS 1.0 result:Your client is using TLS 1.0, which is very old, possibly susceptible to the BEAST attack, and doesn't have the best cipher suites available on it. Additions like AES-GCM, and SHA256 to replace MD5-SHA-1 are unavailable to a TLS 1.0 client as well as many more modern cipher suites.

TLS 1.2 result:Your client is using TLS 1.2, the most modern version of the encryption protocol. It gives you access to the fastest, most secure encryption possible on the web.

Here is an outcome as a result of .net client application requesting https://www.howsmyssl.com.

The.Net application does not need any changes if target run-time framework is 4.6.0 or higher. Because the applications running with .Net Framework 4.6.0 onwards uses TLS 1.2 when making web request using .Net libraries from System.Net classes though the client libraries like Xero.Api SDK or third party libraries still developed with lower versions 4.0 to 4.5.2.

This document -https://developer.xero.com/tls1-deprecationsays "We’ve set up a test URL for you to test your app. if you can make successful requests to https://api-tls.xero.com then your integration will work after we make the changes on June 30"

So, if I want to get Invoices, do I send a request tohttps://api-tls.xero.com/Invoicesorhttps://api-tls.xero.com/api.xro/2.0/Invoicesor something else?

the https://api-tls.xero.com is purely to allow you to test you are using TLS1.1 or above. The intention is that you can attempt connection to this and only TLS1.1 or above connections will successfully connect.

You're endpoints should not change for any of the endpoints - so for Invoices you should still be using https://api.xero.com/api.xro/2.0/Invoices. If you are using one of the Xero supported SDKs, the devblog post lists the changes required.

If you are having a specific issue with a specific language not referenced by the devblog post, please reach out to api@xero.com.

We are not based on your SDK yet, we just contact your endpoint with HttpClient3, which after analysis seems not compatible with your test endpoint, at least when getting the invoices.We are now working on the issue to upgrade our solution with the use of your SDK.

Thank you.

EDIT: After checking the pom, it seems we were using a maven dependency called com.connectifier.xero:client:0.13

We have switched to Xero Java SDK version 1.0.5 as described in github, and have setup a Junit test to fetch the contacts with it.

We currently use a private test APP, have setup all necessary items (pfx file, consumer key + secret, etc. plus the config.json file)

When we override the ApiBaseUrl to https://api-tls.xero.com in our config.json file (to be able to test on the test endpoint), we get 0 contact. But when switching back to the normal one, we can correclty fetch the contacts.Is this an expected behaviour ?

Besides, we can see all the calls we do inside the APP Xero history, whether it is on the test endpoint or the normal endpoint.Also, but not really our main issue right now, we cannot see the response in the page when the call is ok, is it possible to change that ?

the api-tls.xero.com endpoint is purely to check you are using TLS 1.1 or above. It is recommended you use this as a once-off test during your development to confirm you are setting up correctly to use TLS1.1 or TLS1.2.

It is expected behaviour that you will not be able to access the API by changing the config.json ApiBaseUrl as this will cause all Xero accounting endpoints to not resolve correctly.

I'm trying to test that we are using TLS 1.1 or above by making a call to api-tls.xero.com, but I get response code 301. Does this constitute a successful connection? I can't find any reference to what response code 301 means in any of the Xero documentation or online support..

We understand that our production config.json file must point to the current endpoint (https://api.xero.com) and should remain that way even after the TLS 1.0 deprecation.We also understand that until that date, you provide the test endpoint (https://api-tls.xero.com) for your customers to test their compatibility.

What we don't understand is what you describe: "It is expected behaviour that you will not be able to access the API by changing the config.json ApiBaseUrl as this will cause all Xero accounting endpoints to not resolve correctly."In that case, how to test if we can't change the config.json ApiBaseUrl value that we use in our JUnit test case ? Also, the Xero endpoint does resolve correctly because every call on the test endpoint is shown with a HTTP response code 200 in the Xero APP history, as I said in my previous message.

Actually we are using Java Xero client for posting Xero Bills and for file attachment using the following URL (https://api.xero.com/api.xro/2.0/{Endpoint}/{Guid}/Attachments/{Filename}) . we are using TLSv1.2 version to connect Xero, our codes works fine from beginning . Do we need to do still any changes from our side for TLS 1.0 Deprecation and the Xero API . Kindly let us know. Also we did curl https://www.howsmyssl.comtesting also , please find the response below.

Your client is using TLS 1.2, the most modern version of the encryption protocol. It gives you access to the fastest, most secure encryption possible on the web.

Thanks . One more clarification , We are using TLSv1.2 version and com.connectifier.xeroclient.XeroClient JAR file (new XeroClient(pemFileReader, consumerKey, consumerSecretKey)) to connect Xero from Java . So far code is working fine.Do we need to do still any changes from our side for TLS 1.0 Deprecation and the Xero API. Kindly let us know. Expecting your valuable response.

if the code is working fine, thats great and no change is required. The client (your code) talking to Xero Server negotiates the security profile by telling the server what it supports. If you are setting TLS 1.2, Xero servers already support TLS 1.2, so that will be selected as part of the security negotiation as that is the highest level supported between client and server (until TLS 1.3 or above comes out).

We are trying to move our csharp assembly to TLS1.2 but get error below

The XeroAPI returned an ApiException response: You are attempting to connect to Xero using TLS 1.0 which has been deprecated. Please use a newer TLS version. Please Contact the API support team at api@xero.com for more assistance.

Our assembly is called from a VB6 app. Error does not happen when we run our assembly from a csharp winform. Why would that be ? It's excactly the same assembly. We madesure the things are implemented:

* Assembly is COM enables* Everything was working fine before your move to TLS1.x* Assembly is set to use .net fw 4.61* Gacutil file for .net fw 4.61 was used to register the file.

The call to set the security protocol should occur before ANY call to Xero API. If you put it in your initialisation of your app, that will work.

The security protocol is identifying your client talking to the Xero API supports TLS 1.2, so that during the first call to Xero API, the server will use the highest security level that is common to the client and server. As Xero servers support TLS 1.2, this will be selected for the underlying comms.

Alan above is using an explicit setting to one value - Tls12 security is a bitwise-or, so that allows more than one security protocol to be negotiated based on the highest level of support between the client and server.

Am getting the below exception while using xero attachment API, Posting Invoice is working fine after upgrade the TLS 1.2 version but this function not working , please kindly check it and help me to resolve this .